An assurance engagement is when a company asks an independent expert to give comfort on a metric or statement made by the company in exchange for a fee. Such assurance may be as a result of recommendation by investors seeking a third-party independent opinion, or to enhance (for example) their confidence in the company’s metrics and targets.
Following the launch of a number of new non-financial information reporting standards, it’s easy to perhaps accord ISAE 3000 less attention. However, ISAE is, and remains, a fundamentally vital standard, given the importance of internal controls for business sustainability.
ISAE 3000 is an important international standard which, for a number of reasons, provides an enormous business sustainability contribution.
ISAE 3000 is the standard for assurance engagements other than audits or reviews of historic financial information.
Issued by the International Auditing and Assurance Standards Board, ISAE 3000 consists of guidelines for the ethical behaviour, quality management and performance of an ISAE 3000 engagement.
Generally, ISAE 3000 is used for audits of internal control, sustainability and compliance with regulations and laws. ISAE 3402 states that assurance engagements should be performed in accordance with the ISAE 3000 standard.
ISAE 3000 recognises two types of report: a Type 1 report and a Type 2 report
A Type 1 report provides assurance on the sustainability of design, and the existence of controls.
A Type 2 report provides assurance on the suitability of design, existence and operational effectiveness.
Typically, an ISAE 3000 report generally comprises a description of the scope, the norm against which the report is tested, a description of the control framework and a detailed description of the risk management system and a controls matrix comprising risks, the related control objectives and the related controls.
The Revised ISAE 3000 standard became effective for assurance engagements for assurance reports dated on or after 15th December, 2015.
The benefits of an ISAE 3000 report
An ISAE 3000 report offers a number of distinct benefits supporting the sustainability of a business, including:
- Increased confidence amongst customers, investors and regulators
- Improved risk management and insight into internal processes
- Competitive advantage through an independent quality report
- Better compliance with laws and regulations
- Proof that an organisation treats data correctly and in compliance with GDPR
All of the above are essential components of a reliable, and sustainable company. For that reason, ISAE 3000 should be an essential consideration for any business.
So important is the impact of ISAE 3000 that a UK standard [ISAE (UK) 3000] was introduced and effective for assurance reports dated on or after 15th September, 2020.
There are a number of differences between the international, and the UK, standard, with UK edits reflecting the facts that:
The firm and its personnel are subject to ethical requirements from the FRC’s Ethical Standard, as well as sources such as the ICAEW (Institute of Chartered Accountants in England and Wales) Code of Ethics. The changes to the ethical requirements apply only to public interest assurance engagements specified by the FRC (Financial Reporting Council) because the FRC considers an audit level of independence to be appropriate for such engagements. There are a number of additional matters addressed in the FRC’s Ethical Standard, including:
Financial interests held as trustee;
Financial interests held by pension schemes;
Management roles with an entity relevant to an engagement;
Loan staff assignments;
Partners and engagement team members joining an entity relevant to an engagement;
Governance role with an entity relevant to an engagement;
Employment with the firm;
Long association of the firm with engagements and entities relevant to engagements;
Remuneration and evaluation policies
A number of subject-matter-specific assurance standards also issued by IASSB (International Auditing and Assurance Standards Board) were not adopted by the FRC but my be applied voluntarily. Where a subject-matter-specific assurance standard is applied to the subject of a particular engagement, it is applied in addition to ISAE 3000 (Revised). Complying with ISAE (UK) 3000 would achieve the need to comply with the international standard.
The subject-matter-specific standards are:ISAE 3400: The Examination of Prospective Financial Information
ISAE 3402: Assurance Reports on Controls at a Service Organisation
ISAE 3410: Assurance Engagements on Greenhouse Gas Statements
ISAE 3420: Assurance Engagements to Report on the Compilation of Pro Forma Financial Information Included in a Prospectus
A European perspective
The European Commission (EC) adopted a proposal for the Corporate Sustainability Reporting Directive (CSRD) to further strengthen sustainability reporting.
The EC also introduced an EU-wide requirement for limited assurance on sustainability information.
Assurance can be of two types: Limited assurance and Reasonable assurance.
In a limited assurance engagement, the assurance-provider reduces the risk of material misstatement to an acceptably low level in the circumstances of the engagement.
In a reasonable assurance engagement, the assurance-provider obtains sufficient evidence to reduce the risk of material misstatement to an acceptably low level.
In both cases ISAE 3000 deploys professional judgement as an important element of reaching an appropriate conclusion.
Conditions of an ISAE 3000 assurance report
Of course, the conditions governing whether assurance can be provided demand that the reported information must be verifiable:
- With appropriate subject matter and suitable reporting criteria
- With effective and properly managed internal processes and controls
The International Standard on Assurance Engagements (ISAE) 3000 (Revised) is the standard mostly used when dealing with sustainability information assurance, although there is no legal requirement to use ISAE 3000 at European level. However, EU Member States such as France, Italy and Spain used ISAE 3000 as the basis for developing their national standards, as has the United Kingdom.
The CSRD has introduced an EU-wide requirement for limited assurance on sustainability information, driving adoption of ISAE 3000 (Revised) and ISAE (UK) 3000.
According to ISAE 3000, an assurance engagement requires the following elements to exist:
Suitable roles and responsibilities of the involved parties
Appropriate underlying subject matter
Suitable reporting criteria that exhibit certain characteristics to be met for an assurance engagement – relevance, completeness, reliability, neutrality, comprehension
Effective and properly managed internal processes and controls to ensure the information to be reported is underpinned by sufficient appropriate evidence
Assurance report
ISAE 3000 describes the main elements to be included in an assurance report as:
A description of the level of assurance achieved (limited or reasonable)
The assurance engagement’s scope and subject matter
Significant inherent limitations associated with measuring the underlying subject matter against the applicable criteria (if applicable)
The company’s, and the assurance provider’s, respective responsibilities, naming the applicable assurance standards and confirming adherence to professional requirements and standards as applicable
Compliance statements with:
ISAE
The quality control/quality management system requirement (ISQC1/ISQM1)
The IESBA (International Ethics Standards Board for Accountants) Code independence and other ethical requirements, or other professional code
The work that has been performed as the basis for reaching a conclusion (sites included, processes, data)
The assurance service provider’s conclusion and substantiation, either unmodified or modified
ISAE 3000 for a sustainable future
ASAE 3000 offers sound good practice for non-financial sustainability assurance engagements.
It is largely intuitive and logical.
It will enhance credibility and trust.
It is a standardised assurance framework.
It leads to improved quality of information.
It supports non-financial reporting trends.
It is flexible and broad in scope.
It complies with international best practices. It promotes accountability and governance.
It is beneficial for stakeholder communication.
For all these reasons, for any sustainable business, ISAE 3000 (Revised) and ISAE (UK) 3000 provide the assurance any responsible business should demand.
Contact us
For more information about our Sustainability & ESG services, please contact the team.
View our related insights
EFRAG announces major simplifications levers for sustainability reporting
Mark Lumsdon-Taylor
Executive Development & Sustainability Lead
Looking forward to ISSA (UK) 5000
Mark Lumsdon-Taylor
Executive Development & Sustainability Lead
The UK and the ISSB (International Sustainability Standards Board)
Mark Lumsdon-Taylor
Executive Development & Sustainability Lead
